Credential Dumping by Exploiting Security Support Provider

Written by: Vikram Navali – Senior Technical Product Manager -Windows operating systems have authentication mechanisms to automatically execute libraries or programs when the computer system boots up or during the user account login. The organization can configure this function by placing these programs at designated locations or configuring them in a Windows Registry entry. Attackers can find a way to maintain persistence by modifying these system configurations or registering malicious Dynamic-Link Library (DLL) programs such as a Security Support Provider (SSPs) during system boot and escalate privileges.